How is CORS bypassed?

L

Leonid2020-05-15 11:39:13

Browsers

Leonid, 2020-05-15 11:39:13

There is a .NET server with CORS enabled. there are no problems with webapi, but there are files with the ashx extension.

At the same time, Postman somehow works with them. The html player tag works the same way.
The problem is that you need to send the authorization bearer header. and now if you try to access the file with javascript, it gives out no access via CORS
Actually the question is - what's the difference? how do postman and tag bypass cors? after all, this is the same http protocol
, what is the general feature of files with this extension that they respond differently than regular webapi

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

R

Rsa97, 2020-05-15
@Rsa97

Postman is a development tool, a browser extension. It intercepts the response before it's even parsed by the browser and ignores the CORS policy.
For AJAX, the request is parsed by the browser, which blocks cross-domain requests if permissions for the necessary methods, domains, etc. were not previously returned by the OPTION request.

I

Ivan Shumov, 2020-05-15
@inoise

If there is a problem with CORS, then there are only 2 options - do your own back or do http reverse proxy